Authors: Jost Wübbeke, Tiffany Wong, Camille Boullenois, Markus Herrmann
Navigating China’s Cybersecurity Regulations
Sinolytics Primer – Linking cybersecurity issues to your business needs
Agenda
1. China’s dynamic cybersecurity regulations
2. Industry impacts
3. Sinolytics value proposition
Sinolytics Cybersecurity Services
Sinolytics – a European research-based consultancy focused on China

Profile
• Founded in 2018, Sinolytics is a client-serving, agile boutique consultancy with offices in Berlin, Zurich and Beijing
• Uniquely blending in-depth research with a management consulting approach to value delivery
• Operating at the nexus of business and policy and analyzing China’s political economy, Sinolytics advises companies from across business sectors and functional areas
• 40+ clients, including some of the largest and most respected foreign companies operating in China

Key expertise areas
• China’s innovation and technology policies impacting corporate strategies and offering cooperation opportunities
• The Belt and Road Initiative – with focus on challenges and opportunities for foreign logistics, finance and EPC sectors
• China’s digital transformation with focus on Blockchain, digital currency, e-Commerce and Insurance/FinTech
• Policy/regulatory analysis, monitoring & forecasting (e.g. SCS, sustainability, cybersecurity, industrial policies)
• Cooperation/partnerships (e.g. tech-transfer/partnerships, subnational/city-partnerships, trade associations)

Approach
• Primary source and Chinese-language research
• Problem-solving and developing tailored solutions
• Flexible delivery formats: strategies, reports, workshops
• Depth in content, while strong in contextualization
• Extensive expert network and research partners
Cybersecurity Law 网络安全法 (in force since 7/2017)

The Cybersecurity Law establishes many new requirements for companies:
• MLPS 2.0 网络安全等级保护: All network operators have to determine their MLPS level and implement the corresponding cybersecurity measures
• Critical Infrastructures 关键信息基础设备运营者: Critical Infrastructure Operators (CIIOs) have to comply with many additional requirements on top (draft)
• Cross-border data transfer 信息数据出境安全: Transfer of personal and/or important data to recipients abroad must be reviewed and is subject to approval (draft)
• Personal data protection 个人信息保护: Requirements for the protection of personal data are getting tighter
• Network products and services 网络产品和服务: CIIOs have to get approval when buying routers, switches, PLC equipment or other key network products and services
• Further impacts are posed by issues such as encryption (VPN), cyberthreat information publishing, app certification, etc.

Companies have to cope with a complex and dynamic array of implementing regulations and standards in cross-cutting areas, and have to comply with many supporting regulations of the Cybersecurity Law.
China’s overall cybersecurity regulatory framework is changing quickly

Legend: regulations/standards already in place; draft regulations; expected regulations (marked where they require monitoring or were new/adjusted in 2019/2020)
Areas covered: CIIO, Network Products & Encryption, Personal Information (PI), Cross-border Data Transfer

Regulations and standards shown on the slide (in place, draft or expected):
• 2017 Cybersecurity Law
• MLPS 2.0 / Draft MLPS 2.0 Regulations
• Reg. on the Security Protection of CII
• Measures on Cybersecurity Review
• PI Security Specification
• PI Protection Law
• Reg. on Cross-Border Transfer of Personal Data
• Encryption Law
• Draft measures on data security
• Grading guidelines for classified protection (CP)
• Baseline for CP for cybersecurity
• Implementation guide for CP for Infosys
• Testing & evaluation guide for CP
• General requirements for CP of cyber security I–V
• Tech. Reqs. for CP Security Mgmt Center
• Technical reqs. for security design for CP
• Capability reqs for organization of CP
• Guide for de-identifying PI
• PI Security impact assessment guide
• PI notification consent guide
• Basic Specification for Collecting PI on Mobile Apps
• Guidelines for cross-border transfer security assessment
• PI Outbound Transfer Security assessment measures
• Network key equipment security tech. reqs. – General reqs
• Network key equipment safety – technical reqs
• Basic reqs for CII network security protection
• CII security control measures
• General Reqs for InfoSys Encryption Application
• General Security Technical Reqs for Information Systems
• Security requirements for database management systems
• Network Vulnerability Scanning Product Security Technical Reqs
• Operating system security technical requirements
• Requirements for Basic Network Security Technology

More regulations & standards are expected in each area.
Cybersecurity has been gaining momentum since 2017: many national regulations are already implemented, more to come

Cybersecurity regulatory framework is expansive and complex

[Chart: # of cumulative national regulations, 1995–2020, General vs Industry Specific]
[Chart: # of regulations by area (CIIO, MLPS, Network Products, Encryption, Data Protection), Draft vs Implemented]
[Chart: Number of industry-specific regulations per industry area: Finance 12, Health 7, Other 7]
Source: Sinolytics research
Sinolytics’ Cybersecurity and Personal Data Expertise

Our service focuses on the topics below, tailored exactly to your needs

MLPS 2.0
• Level Determination
• Requirement Gap Analysis
• Gap Closure Support
• External Assessment and Filing

CIIO
• CIIO Determination
• CIIO Requirement Gap Analysis
• Gap Closure Support
• CIIO Strategy

Cross-border Data Transfer
• Cross-Border Data Transfer Assessment
• Identifying Specific Review Requirements
• Implement Review

Network Products
• CIIO Procurement Rules
• Network Product and Services Catalogue

Encryption
• Encryption Law Provisions

Personal Data Protection
• Identifying sensitive personal data
• Privacy policy advice
• Data anonymization assessment

Secure & Controllable
• Scoring system for security & controllability of IT products

Information Publishing
• Rules for Reporting/Publishing Security Incidents

App Certification
• Emerging Voluntary System for App Security Certification and the Benefits

Cybersecurity Strategy
• National and Local Cybersecurity Policy
• Monitoring/Forecasting New Rules

Social Credit
• Links between Cybersecurity Regulation and Social Credit System

Automotive
• Connecting Sinolytics’ automotive experience with Cybersecurity

Finance
• Connecting Sinolytics’ finance experience with Cybersecurity

Health
• Connecting digital health business models with Cybersecurity
MLPS 2.0: All firms operating networks have to follow MLPS 2.0 requirements

MLPS 2.0 sets rules for all companies that operate networks (“network operators”) to increase security protection capabilities, including the ability to prevent threats, detect security incidents and recover after damage
• The number of technical requirements in the various security areas increases for higher MLPS 2.0 levels
• Network operators are obligated to conduct a self-assessment
• Above level 2: subject to extra expert evaluation
• Above level 2: need to file with local public security bureaus

Companies need to grade their MLPS 2.0 level…
Level grading depends on the potential damage a cybersecurity incident can create for various objects (civilians, the public, national security):
• Level 1: damage to civilians
• Level 2: serious damage to civilians, OR damage to the public
• Level 3: very serious damage to civilians, OR serious damage to the public, OR damage to national security
• Level 4: very serious damage to the public, OR serious damage to national security
• Level 5: very serious damage to national security

…and comply with corresponding requirements
Security areas covered by the requirements: Security Management, Management Org. Security, Management Personnel Security, Construction Management Security, O&M Management Security, Management Center Security, Network Boundary Security, Computer Environment Security, Telecomm Network Security
Number of requirements per level (values shown on the slide: 53, 122, 189, 204); Level 5 requirements not published
Source: Cybersecurity standards and Sinolytics research
Critical Information Infrastructure Operators face extensive requirements

CIIOs are not yet clearly defined…
• Regulations for Critical Information Infrastructure Operators (CIIOs) are still at draft stage
• Possibly affected companies have to prepare in a situation of high uncertainty
• The Cybersecurity Law only provides a general definition: CIIOs are operators whose infrastructure, once sabotaged, may gravely harm national security, the national economy, the people’s livelihood and the public interest
• It is likely that any company categorized above Level 3 of the MLPS 2.0 will be a CIIO

…but some companies could possibly be expected to be CIIOs based on draft guidelines
• Financial: bank operators; securities and futures trading; insurance
• Telecomm.: data center/cloud services; voice, data, internet network and hubs
• Health: health institutions such as hospitals; disease control; emergency centers
• Production: intelligent manufacturing systems; operation and control of high-risk industrial facilities
• Water conservancy: long-distance water delivery; urban water source; water conservancy hub
• City infrastructure: sewage treatment; urban rail transit; Smart City operation & mgmt

Companies that are CIIOs face further cybersecurity requirements (examples)
• Asset risk assessment: CIIOs have to conduct a risk assessment of all assets (incl. data, facilities) towards public/national security in case of a data breach
• Data storage: CIIOs have to store important and sensitive personal information on separate data servers
• Supply chain: All network providers and servicers to CIIOs have to undergo cybersecurity review procurement procedures and provide a security risk report
• Post-incident recovery: Post-cyber incident recovery requires an instant back-up system
Network products and services: CIIOs and providers in the regulatory spotlight

Network Products & Services
Providers of key network products must pass technical reviews
• Requirements apply to a list of key network products (e.g. router, switch, server, firewall, …)
• These products must undergo a security review
• The review is point-based and covers general requirements and technical requirements; detailed requirements exist for each of the products

CIIOs must ensure their products are safe and controllable
• Trigger for the review: the potential impact of network products and services on national security
• Principles taken into account in the review process:
• Data control: Make sure no data can be illegally obtained/processed
• Controllability: Ensure that the products cannot be manipulated
• Product choice: Make sure that the purchasing party is not deprived of its right to choose products and services
Companies face challenges of new cross-border data transfer requirements

Cross-border Data Transfer
New cross-border data transfer regulation and standards are not yet officialized…
• Implementation of the “Measures on the Security Assessment of the Cross-border Transfer of Personal Information” is imminent
• The Standard on Cross-Border Data Transfer Security Assessment is likely to be officialized very soon

…but already present new data transfer requirements for MNCs
• Companies face new security assessment and approval procedures for data transfer abroad
• All companies that are network operators and transfer personal data outside the borders of China will be affected
• All companies transferring personal and/or important data abroad undergo a one-time security assessment and contract procedure for each data recipient
• Uncertainties remain, e.g. whether group companies are to be treated as separate entities or as one entity

Implications for companies
Companies will face extra compliance costs with new cross-border data transfer requirements, e.g.:
• Multi-party impacts: Data transfer contracts require coordination and assessment of data sender and data recipient
• Cross-entity data protection coordination: Increased record-keeping and assessment require increased coordination among MNC entities
• Increased spot-checks: Provincial CACs will inspect transfer records in a randomized manner
• Management and structure: A data security compliance team is required, and work norm processes for data transfer security need to be established
Personal data protection rules impact many business functions within companies

Personal data protection
Business functions collecting personal data: human resources; finance and accounting; marketing/e-commerce; client-facing functions 1)

Personal data collected (examples)
• Employees’ address, personal phone number, e-mail address
• Position, work unit, education, degree, education experience, work experience, training record, transcripts
• Clients’ address, personal phone number, e-mail address
• Client’s name, address, personal phone number, photos, nationality, job position
• Software usage records, click records, favorite lists
• Education data
• Data about personal devices, including hardware serial number, device MAC address, software list, unique device identification code

Sensitive personal data (examples)
• Employees’ work permit, access card, social security card
• Bank account, deposit information (including the amount of funds, payment collection records)
• Transaction and consumption records
• Website browsing records
• Client biometric records
• Health data
• Banking data
• Insurance data
• Communication record and content

Implications for companies
• Each business function needs to draft its own privacy policy and make it accessible to the individuals from whom it collects data (e.g. employees, customers)
• Consent from the data subject is required before collecting data for each of the company’s business functions that require data collection
• For all data: rules for how long the data is held and security requirements
• Additional requirements apply for sensitive data
• One data controller must be designated in each entity

1) Data gathered depends on the industry
Different industries are affected by a combination of cybersecurity regulations

Regulatory areas considered: MLPS 2.0, CIIO, Network Products, Secure & Controllable, Cross-border Data transfer, Encryption, Personal Data Protection (the slide marks, per industry, which areas will affect corporations and which possibly affect corporations)

Most relevant cybersecurity regulations by industry 1) and implications for MNCs and SMEs
• IT: IT & cloud companies listed as CIIOs face tough approval processes from authorities
• Automotive: OEMs face additional cybersecurity regulation for vehicle software systems and ICV
• Health/Pharma: Sensitive personal data from clinical trials face tough regulations; data transfer partners can be CIIOs
• Chemicals: Data transfer partners can be CIIOs; DG data can be listed as important data
• Finance: Industry-focused regulations for personal data treatment; likely to be CIIOs
• Machinery: Some machinery parts may be subjected to increased scrutiny for network products
• Retail: Strict personal data protection requirements for eCommerce

1) Relevant cybersecurity regulations depend strongly on business models
Effects of regulations for industries apply to both MNCs and SMEs, regardless of size
Digital health: between market potential and heavy regulation

Industry: Healthcare

High growth for digital healthcare in China
• In 2016, 58% of patients in China reported having shared technology information with healthcare professionals, compared to 26% in the UK, 17% in Sweden and 12% in Germany

COVID-19 has increased the market potential
• During Covid-19, internet diagnosis and treatment 1) increased by 17 times, and consultations on 3rd-party Internet service platforms increased by 20 times. Life science firms and insurance firms are likely to benefit from the expansion

But the industry suffers from high cybersecurity vulnerabilities
• In 2018, a total of 77% of hospitals’ patient apps had cybersecurity vulnerabilities
• In April 2020, China’s largest and first cross-border telemedicine app “Dr. Chunyu” was suspended for privacy violations
[Chart: vulnerability level of hospitals’ patient apps (No, Low, Medium, High vulnerabilities); shares shown: 67%, 23%, 6%, 4%]

Cybersecurity regulations have implications for healthcare infrastructure
2020 Health Law emphasizes data protection
• Art. 49: “The state protects citizens’ personal health information and ensures the safety of citizens’ personal health information. No organization or individual may illegally collect, use, process, or transmit personal health information of citizens”
Healthcare is highlighted as a focus of cybersecurity regulations
• “Key Information Infrastructure Security Protection Regulations” (2017): healthcare operators are CIIOs
• “Personal Information Security Specification” (2020): healthcare data is ‘sensitive information’
➔ This implies particularly strict requirements in all areas of cybersecurity and data protection
Specific healthcare cybersecurity regulations in the making
• Four specific regulations issued in 2018
• National standards are being drafted
➔ Healthcare-related companies must prepare for specific cybersecurity requirements

Sources: Philips, China’s National Health Commission, Tencent
1) Includes the hospitals under the administration of the National Health and Health Commission
Automotive industry: ICVs will be subject to extensive cybersecurity regulations

Industry: Automotive
• China’s burgeoning C-V2X (Cellular-Vehicle-to-Everything) connectivity system means that ICVs (Intelligent Connected Vehicles) will be connected to the cellular network (LTE/5G) on the road, making them vulnerable to cyber attacks
• ICVs will see specific cybersecurity regulatory developments in the future

ICV 2020 Innovation Strategy on Cybersecurity: likely requirements
• Build a comprehensive ICV cybersecurity system: Strictly implement national cybersecurity laws … establish a safety system covering key links in the industrial chain such as automobile manufacturers
• Improve security protection capability in system functions: Build a combination of software and hardware protection systems, strengthen the safety and reliability of vehicle chips, operating systems, etc.
• Strengthen data security protection and supervision: Strengthen investment in data security in areas such as access control, identity authentication, data encryption, disaster recovery

Implications for Auto OEMs
• Hardware: Secure component requirements for parts incl. automatic driving system, interface T-boxes etc.
• Software: Securing software with firewalls and regular security checks and reports; ability to detect and analyze abnormal data behavior and revert to a back-up emergency OS if the network is hacked
• Implement data collection, monitoring, protection and early warning systems
• Cybersecurity standards for ICVs are being drafted with organizations such as CATARC, expected in 2020. They can become relevant to homologation by 2022.
• Regulations for ICV OS protection could point to stringent and costly data protection and monitoring processes, to the extent where a local OS is required
• A dedicated ICV cybersecurity team may need to be established for real-time monitoring of data treatment, security protocols, recording and evaluation, post-event evaluation and analysis, etc.
Foreign financial institutions: strict personal data protection rules apply

Industry: Finance
Foreign institutions are setting up to move into China
• On April 1st 2020, China lifted foreign ownership limits on securities and fund management firms
• Foreign companies can now set up wholly-owned units in the mainland and take part in a 45 tn USD financial services market
• According to Bloomberg, foreign banks and securities companies could see profits of more than 9 bn USD a year in China by 2030
• Asset Management: Applying for licenses for 100%-owned companies
• Securities: Approved for majority stakes in local joint ventures
• Other: Greenlighted for the first entirely foreign-owned insurance holding company in China

…but strict cybersecurity regulations for all financial institutions can impact operation models
Risk Evaluation
• “Specification for financial information service security” (GB/T 36618-2018) requires strict risk compliance for cybersecurity
• This includes back-up requirements (e.g. on different servers) and post-incident response mechanisms
Personal financial data
• New industrial standard published early 2020
• Personal financial information categorized in three levels: C1, C2, C3
• Different levels face different restrictions in data collection, storage, and securitization

Implications for Financial Institutions
• Due to the type of personal data gathered, financial institutions are likely to be categorized as CIIOs and face additional restrictions
• Foreign financial institutions have to face restrictive cross-border data transfer restrictions for personal financial data, which can pose extra challenges for data transfer limits and methods
• A dedicated China-specific cybersecurity team needs to be established to deal with extra data protection requirements, risk monitoring and evaluation, and cybersecurity trainings
Sinolytics Service Portfolio Cybersecurity

1 Requirements Report
• Identification: Support identifying cybersecurity status (MLPS, CIIO etc.)
• Requirements Assessment: Evaluating requirements that apply to the client
• Landscaping: Providing the most up-to-date account of the regulatory framework

2 Compliance Roadmap
• Gap Analysis: Identifying needs through gap analysis and risk scoring
• Implementation: Gap-filling measures with respective costs and benefits
• Enablement: Capacity building, structuring internal processes, and coaching

3 Strategy & Monitoring
• Strategy: Build strategy to continuously deal with cybersecurity requirements
• Anticipation & Monitoring: Daily monitoring of drafts, new policies, regulations and standards
• Early Warning: Giving a timely signal for new requirements for early preparation and action

4 Business Strategy
• Anticipation: Business-case & monetization building amidst cybersecurity regs.
• Market: Benchmarking compliance, 3rd party partnerships, market entry etc.
• Data Strategy: Organizing data management and flows to reduce compliance risks

The above service portfolio can include one or more cybersecurity areas relevant to your company: MLPS 2.0, CIIO, Cross-border Data transfer, Network Products, Personal Data Protection, Secure & Controllable, Encryption, Information Publishing, App Certification, Cybersecurity Strategy, Industry-specific regulation
MLPS 2.0 Compliance Service (Example)
Sinolytics service phases covered: Requirements Report, Compliance Roadmap, Strategy & Monitoring

1 Level Grading
• Network Identification: Identify client network systems and boundaries relevant for MLPS 2.0
• Level grading: Support in self-determining the MLPS 2.0 level regarding potential impacts for relevant objects
• Self-assessment report: Support in producing a report that can be provided to authorities or 3rd parties if required

2 Requirements Assessment
• Technical Requirements: List of requirements based on the graded level as defined in standards, also including encryption, personal data protection, etc.
• Procedural Requirements: Based on the level, clarify necessary further steps, such as external review, approval from industry regulator and filing with public security bureau

3 Gap Analysis
• Status Quo Analysis: Evaluate client’s current cybersecurity measures in accordance with MLPS level
• Gap Identification: Identify potential compliance gaps against the backdrop of requirements and client’s status quo

4 Implementation & Enablement
• Gap Closure Roadmap: Define a roadmap to close potential gaps and define specific measures to be taken
• Document Preparation: In case of external review, approval or filing, formulate relevant materials and inputs for grading
• Partnership Evaluation: In case of external review, identify local accredited 3rd party reviewers that provide best fit for client needs

5 Continuous Compliance
• Strategy: Develop a strategy to continuously deal with the MLPS 2.0 system
• Monitoring Process: Build process to regularly update MLPS 2.0 assessment against regulatory dynamics and regular reporting duties
• Communication Process: Build internal processes to communicate MLPS 2.0 related requirements among internal stakeholders
Sinolytics’ Cybersecurity Team

Jost Wübbeke, Director
Jost is a leading expert on China’s industrial, technology, and automotive policy. He heads Sinolytics’ service portfolio for cybersecurity, internet governance, and e-commerce. Jost has consulted large MNCs and SMEs on their China cybersecurity strategy including MLPS, personal data, and cross-border data transfer. Previously, he headed the MERICS technology policy team, where he published groundbreaking analyses on Made in China 2025 and Internet Plus. He has a PhD from FU Berlin on China’s industrial policy. He also holds degrees in International Relations and China Studies from Berlin and Bochum and was a research fellow at Tsinghua University.

Markus Herrmann, Director
Markus is an experienced advisor to European corporate and public sector clients focusing on China’s foreign economic policy (esp. trade and supply chain policy) as well as regulatory topics such as the CSCS and cybersecurity regulations. Prior to Sinolytics, he worked as a Government Affairs & Advocacy Director with Bayer MaterialScience (now: Covestro) in China and as Management Consultant with Boston Consulting Group in its Shanghai, Hong Kong and Zurich offices. Markus holds an MLaw from the universities of Bern and Geneva focusing on international public law and WTO law and a CAS in Public Policy from ETHZ.

Tiffany Wong, Consultant
Tiffany is specialized in China’s industrial and technology policies as well as China’s cyber-governance and its quickly evolving cybersecurity and personal data protection regulations and standards. She has extensive experience facilitating business strategies for MNCs against the backdrop of China’s regulatory landscape. Prior to Sinolytics, she worked at an advisory group in Washington, D.C. analyzing China’s BRI debt structure. She holds an M.A. from Johns Hopkins in International Economics and China Studies and a B.A. from the University of Chicago in Political Science and International Relations.

Camille Boullenois, Consultant
Camille advises clients on regulatory compliance in the Chinese market and has strong mastery of data analytics tools and methods. Prior to Sinolytics, she worked as an analyst at China Policy, and contributed to the EIU, Oxford Analytica and the ECFR on topics pertaining to China’s social and economic issues. She is also a researcher at the Australian National University and has studied at Sciences Po (Paris) and Oxford; with many years of experience in China, she has an outstanding command of the Chinese language and political landscape.

China insights and judgment at the nexus of business and policy
Contact: Sinolytics